server
| key | default | description |
|---|
| host, port | — | bind address |
| max_body_size | 65536 | POST body limit in bytes; larger requests get 413 |
| trusted_proxies | [] | IPs of reverse proxies whose X-Real-IP / X-Forwarded-Proto headers are honored |
The client IP (rate limits, auto_fields.client_ip) is resolved in one of two deployment modes:
- Exposed directly — keep
trusted_proxies empty: all IP headers are ignored, the TCP connection address is used. - Behind a reverse proxy — list the proxy address (e.g.
["127.0.0.1"]) and make the proxy overwrite X-Real-IP, so a client-supplied value can never get through:
| proxy | config line |
|---|
| nginx | proxy_set_header X-Real-IP $remote_addr; |
| Apache | RequestHeader set X-Real-IP "expr=%{REMOTE_ADDR}" |
| Caddy | header_up X-Real-IP {remote_host} |
| HAProxy | http-request set-header X-Real-IP %[src] |